On July 16, 2014, Cisco announced that 9 of its home networking products had severe security problems.

This security problem will allow a cybercriminal to take complete control of these devices without anyone’s knowledge. This will let them monitor and control all internet traffic coming into or out of the home. Security experts have rated this problem a 10 out of 10 because it is so easy for criminals to deploy and can cause real damage.

At the time of disclosure, Cisco also announced that it had a way to fix this problem and released new software to do it. This fix will allow these devices to remain secure. However, the only way to apply this fix is to have the people who ultimately control the device do it. Normally, this means an ISP.

Rogers in Canada is a major Internet Service Provider, and has provided these vulnerable devices to a large number of its subscribers.

Rogers customers who have these devices must rely on Rogers to fix them. However, Rogers seems to be unaware that a problem even exists.

It’s very easy for cybercriminals to find the internet addresses of homes that have these devices and are Rogers customers.

An easy way to understand the problem is this: Imagine you live in an apartment complex where everyone has the same brand of deadbolt lock on their front door. One day the lock manufacturer announces that criminals have found a way to open these locks in under five seconds using only a paperclip and very limited skill. They also say that there’s an easy way to fix this problem by purchasing a clip that goes inside the lock and costs a dollar. You call the apartment manager to see if he’s going to buy and install these clips, and he tells you not to worry because “that stuff you read on the internet probably isn’t even true”. You try to buy the clip yourself, but the manufacturer will only sell them to the true owner – in this case the apartment building and not you. And oh yeah, all of the criminal gangs know which apartment buildings are using these problematic locks. That’s the situation we’re in.

Another Phone Call To Rogers

I called Rogers earlier today to see if any progress is being made on this problem. The guy I spoke with clearly had no idea about what I was talking about, but did offer to let me speak with his manager. I agreed.

The manager didn’t seem to know what I was talking about either, but she was willing to listen to me. After telling her my story, she simply told me that there are lots of crazy things out on the internet and I shouldn’t believe all of them. She also told me not to get too upset over any vulnerability in a piece of networking equipment since “all equipment has vulnerabilities”. I explained that I understood that, and in fact was involved with a product and website that specifically dealt with the security of home modems and routers. I explained that this was no ordinary product bug and gave her multiple places to look on the internet to verify all that I was saying.

She went away for a little while and came back and said that yes, she did see some evidence of what I was speaking about. Good, did you see the Cisco Security Advisory? No, she saw people talking about it on the Rogers Community Forums. And of course, “Anyone can post anything there”.

She did say that she would open up a ticket so that the Rogers network engineers could look into it and see if there was anything there. Not really sure what to think anymore…

It all just reminds me of the great quote from Fabio Assolini of Kaspersky Labs:

“The negligence of the manufacturers, the neglect of the ISPs and ignorance of official government agencies create a perfect storm, enabling cybercriminals to attack at will.”